dynamic packet filter

A dynamic packet filter is a firewall facility that can monitor the state of active connections and use this information to determine which network packets to allow through the firewall. By recording session information such as IP addresses and port numbers, a dynamic packet filter can implement a much tighter security posture than a static packet filter.

For example, assume that you wish to configure your firewall so that all users in your company are allowed out to the Internet, but only replies to users' data requests are let back in. With a static packet filter, you would need to permanently allow in replies from all external addresses, assuming that users were free to visit any site on the Internet. This kind of filter would allow an attacker to sneak information past the filter by making the packet look like a reply (which can be done by indicating "reply" in the packet header).

By tracking and matching requests and replies, a dynamic packet filter can screen for replies that don't match a request. When a request is recorded, the dynamic packet filter opens up a small inbound hole so only the expected data reply is let back through. Once the reply is received, the hole is closed. This dramatically increases the security capabilities of the firewall.

This was last updated in April 2007

Dig Deeper on Network Security Best Practices and Products